As it had done for Hurricane Harvey in Texas and Louisiana, and for Hurricane Irma in Florida, the U.S. Department of Health and Human Services (HHS) issued a limited waiver of HIPAA sanctions and penalties for covered entities in Puerto Rico and the U.S. Virgin Islands in the aftermath of Hurricane Maria.

The waivers are primarily intended to relax some of the administrative requirements under the HIPAA Privacy Rule for 72 hours, lessening the administrative burden on hospitals immediately after a disaster protocol is instituted. The waivers thereby give hospitals in the emergency area a better chance to catch up with a sudden influx of patients.

However, the majority of HHS’s four-page hurricane bulletin template is devoted to reminding people of HIPAA provisions that already existed. For example, in an emergency, a hospital may share a patient’s information for legitimate public health reasons without his or her authorization, or inform third parties or the general public in certain situations that someone is a patient at the facility. Facilities already had broad flexibility to communicate with patients’ relatives and friends, relief organizations, and the general public as necessary or appropriate.

Just as the number of recent enforcement actions for HIPAA violations indicates that some healthcare providers still do not fully appreciate certain requirements, HHS’s hurricane bulletins were clearly meant to remind providers that, in other respects, HIPAA is already more flexible than many realize.